
Re: [WEB SECURITY] cross site trace




Please, don't even tell me about ASV scans assigning vulns the same risk
level (usually higher than they should be), just because they share
something in common in the title of the vulnerability, i.e. 'XSS'.

It's really annoying, especially when a customer argues a risk level
because X automatic PCI DSS scanning provider has rated a reflective XSS
as a medium risk, even if it requires finding a vulnerability in a Flash
plugin that allows you to craft arbitrary HTTP methods or headers. Well,
that's not a medium risk, it's a low risk. Please let's not be
sensationalist!

-- my rant for the day.

Raymond Forbes wrote:
| Scanners always rate it as a high or critical. PCI auditors consider it
| a "PCI" issue because it is tied with cross-site scripting. I am in the
| process of making a justification about not prioritizing these as high
| as other XSS vulns and was curious what is the general consensus.
|
| -Raymond
| ----- Original Message ----- From: "Brian Shura" <bshura@xxxxxxxxxxxxx>
| To: "'Raymond Forbes'" <rforbes@xxxxxxxxxxxxxx>;
| <websecurity@xxxxxxxxxxxxx>
| Sent: Friday, July 18, 2008 4:58 PM
| Subject: RE: [WEB SECURITY] cross site trace
|
|
|> Raymond,
|> IE 6 is the only major browser that still supports TRACE, so I would agree
|> that this is a low risk vulnerability. What does your scanner rate it as?
|>
|> -Brian
|>
|> -----Original Message-----
|> From: Raymond Forbes [mailto:rforbes@xxxxxxxxxxxxxx]
|> Sent: Friday, July 18, 2008 12:44 PM
|> To: websecurity@xxxxxxxxxxxxx
|> Subject: [WEB SECURITY] cross site trace
|>
|> So, this vulnerability keeps coming up on scans and audits. Considering
|> the number of clients that even support trace has dramatically shrunk,
|> this would seem to me to not be a serious issue anymore. Not that I am
|> saying it isn't worth fixing, but when prioritizing with other
|> vulnerabilities this ends up on the low side.
|>
|> Am I off base here?
|>
|> -Raymond

-- 
Adrian P. | Senior IT Security Consultant | ProCheckUp Ltd

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



Brought to you by http://www.webappsec.org